"Targeting Data Breaches": A Win for Financial Institutions Victimized by Data Breaches

May 1, 2015

Late last year, Judge Paul A. Magnuson of the U.S. District Court for the District of Minnesota, issued a landmark decision in a class action data breach lawsuit against Target Corporation (“Target” or the “Company”), which was filed by banks and other financial institutions that were forced to incur significant losses due to an intrusion by hackers into Target’s card payment system. Target’s 2013 breach was one of the largest ever and, as detailed in the financial institutions’ operative complaint, was preventable had Target acted reasonably. 

By way of background, Target’s breach began in late 2013, when hackers first uploaded malware onto Target’s computer system after gaining access to the system from a vendor account. After residing on Target’s system for several weeks, the malware began collecting card data from Target’s customers as cards were swiped at payment terminals. The customer card data was then stored on Target’s system for a number of days before being sent to a server in Russia. The collection and extraction of the card data occurred over a period of two weeks in early December 2013. All told, the breach compromised the credit and debit card information of 110 million customers, including even customers who had not swiped their cards during that period. After the breach, a U.S. Senate Committee investigated the matter, uncovering a number of startling details, including: 

  • Target had voluntarily disabled security functions that would have automatically deleted the malware that carried out the breach; 
  • Target ignored numerous warnings (both external and internal) regarding the presence of the malware and the breach; 
  • Target had a practice of improperly retaining customer card data for months after transactions; and 
  • Target had failed to implement various security measures, pursuant to industry warnings and standards, that could have prevented the breach. 

Indeed, Target purported to learn about the breach only after federal authorities informed the Company that data from cards used at its stores were being sold on the black market. The cost of the breach to financial institutions has been significant. Financial institutions were forced not to only absorb fraudulent charges but they also incurred costs to, inter alia, reissue cards, increase monitoring activity, and communicate with customers about compromised accounts.

As a result of the breach, suits were filed by both affected consumers and financial institutions that issued the stolen cards. The financial institution plaintiffs, represented by a panel of attorneys including Kessler Topaz Meltzer & Check, LLP, asserted four claims in their complaint against Target: (I) Negligence; (II) Violation of Minnesota’s Plastic Card Security Act;1 (III) Negligence Per Se; and (IV) Negligent Misrepresentation by Omission. Target, in response, filed a Motion to Dismiss, and on December 2, 2014, Judge Magnuson issued an Opinion that served as a victory for the plaintiffs, denying the Motion as to Counts I–III. The Opinion is noteworthy for several reasons.

With respect to the negligence claim, the Court unequivocally found that the plaintiffs had sufficiently alleged that Target, as a merchant, owed a duty of care to protect card issuing banks from security breaches.2 The Court focused its attention on the allegations of wrongdoing by Target, which enabled the hackers to breach their computer system. In particular, the Court noted allegations that “Target purposely disabled one of the security features that would have prevented the harm” and “fail[ed] to heed the warning signs as the hackers’ attack began[.]” According to the Court, these allegations of wrongdoing by Target created a foreseeable risk of harm, thus imposing a general negligence duty of care upon Target. The Court was further swayed by Target’s unique position to prevent or stop the breach — as Target “was solely able and solely responsible to safeguard its and Plaintiffs’ customers’ data[.]” Also of note was the Court’s rejection of Target’s argument that to establish a duty of care, there must be a “special relationship” between Target and the financial institution plaintiffs.

This case, and the instant decision, is truly set apart from other data breach litigation by the inclusion of the Plastic Card Security Act claim. Not only does Judge Magnuson’s Opinion mark the first time that any court has interpreted the Act, but to date, no other data breach case has included a similar statutory claim. In short, the Act prohibits merchants conducting business in Minnesota to retain credit and debit card information, and where merchants retain such information and suffer a security breach, the merchants are liable to card issuing banks for the costs associated with responding to the breach. In its Motion, Target challenged plaintiffs’ claim under the Act, arguing that it applies only to transactions that occur in Minnesota — a limitation which would severely limit its application in this case, given Target’s nationwide presence. The Court, however, rejected Target’s argument, finding that “[t]he Act does not apply only to business transactions that take place in Minnesota[,]” rather “it applies only to Minnesota companies’ data security practices[.]” Because Target is a Minnesota company that conducts business in Minnesota, the Court held that the Act applies to Target’s data retention practices with respect to both in-state and out-of-state transactions. Thus, the claim was allowed to proceed.

The parties are now engaged in discovery, with class certification and dispositive motions to follow. Nevertheless, the wider implications of Judge Magnuson’s Opinion cannot be understated and may help pave the way for future litigation on behalf of card issuing banks and other financial institutions that have incurred losses as a result of data breaches where the defendants’ conduct contributed to the damages


1Minnesota’s Plastic Card Act, Minn. Stat. § 325E.64, subd. 2 and 3, states that: 

No person or entity conducting business in Minnesota that accepts [a credit or debit card] in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction . . .

Whenever there is a breach of the security of the system of a person or entity that has violated this section . . . that person or entity shall reimburse the financial institution that issued any [credit or debit cards] affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders . . . 

2See generally, In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14–2522 (PAM/JJK), 2014 WL 6775314 (D. Minn. Dec. 2, 2014).

Related People
D 484.270.1475